Beginning the Configuration

Now that you know the features and functions of the ASA and the core concepts of what it can do (for example, stateful filtering, packet filtering, NAT), it is time to put those concepts into practice.

Most of the time, you will be dealing with a firewall that is already configured and in a production network. If so, you just use the CLI, ASDM, or CSM (if your company owns CSM) to manage the device. If, however, it is a brand-new firewall with no configuration, connect to its console port, power it up, and set your terminal emulation program to talk over the serial cable at 9600 bits per second, 8 data bits, no parity, and 1 stop bit (9600 8N1). Press Enter in the terminal emulator to start the CLI EXEC session to the ASA. If you watch the ASA power up over that console connection, a Cisco ASA 5512-X boot looks similar to what is shown in Example 16-1.

Example 16-1 Initial Boot of a Cisco ASA 5512-X


CISCO SYSTEMS
Cisco BIOS Version:9B2C106A
Build Date:11/10/2011 09:59:37

CPU Type: Intel(R) Pentium(R) CPU        G6950  @ 2.80GHz, 2793 MHz
Total Memory:4096 MB(DDR3 1066)
System memory:624 KB, Extended Memory:3573 MB


PCI Device Table:
   Bus   Dev   Func   VendID  DevID  Class   IRQ
---------------------------------------------------------
   00    00    00      8086   0040   Bridge Device
   00    06    00      8086   0043   PCI Bridge,IRQ=11
   00    16    00      8086   3B64   I/O Port Device,IRQ=11
   00    1A    00      8086   3B3C   USB Controller,IRQ=11
   00    1C    00      8086   3B42   PCI Bridge,IRQ=10
   00    1C    04      8086   3B4A   PCI Bridge,IRQ=10
   00    1C    05      8086   3B4C   PCI Bridge,IRQ=11
   00    1D    00      8086   3B34   USB Controller,IRQ=7
   00    1E    00      8086   244E   PCI Bridge
   00    1F    00      8086   3B16   Bridge Device
   00    1F    02      8086   3B22   SATA DPA,IRQ=5
   00    1F    03      8086   3B30   SMBus,IRQ=11
   01    00    00      10B5   8618   PCI Bridge,IRQ=11
   02    01    00      10B5   8618   PCI Bridge,IRQ=10
   02    03    00      10B5   8618   PCI Bridge,IRQ=5
   02    05    00      10B5   8618   PCI Bridge,IRQ=10
   02    07    00      10B5   8618   PCI Bridge,IRQ=5
   02    09    00      10B5   8618   PCI Bridge,IRQ=10
   02    0B    00      10B5   8618   PCI Bridge,IRQ=5
   02    0D    00      10B5   8618   PCI Bridge,IRQ=10
   02    0F    00      10B5   8618   PCI Bridge,IRQ=5
   03    00    00      8086   10D3   Ethernet,IRQ=10
   04    00    00      8086   10D3   Ethernet,IRQ=5
   05    00    00      8086   10D3   Ethernet,IRQ=10
   07    00    00      8086   10D3   Ethernet,IRQ=10
   08    00    00      8086   10D3   Ethernet,IRQ=5
   09    00    00      8086   10D3   Ethernet,IRQ=10
   0B    00    00      177D   0010   Cavium Encryption,IRQ=11
   0C    00    00      8086   10D3   Ethernet,IRQ=11
   0D    00    00      1A03   1150   PCI Bridge,IRQ=10
   0E    00    00      1A03   2000   VGA,IRQ=10
   FF    00    00      8086   2C61   Bridge Device
   FF    00    01      8086   2D01   Bridge Device
   FF    02    00      8086   2D10   Bridge Device
   FF    02    01      8086   2D11   Bridge Device
   FF    02    02      8086   2D12   Bridge Device
   FF    02    03      8086   2D13   Bridge Device


Booting from ROMMON

Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011



Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Boot configuration file contains 1 entry.


Loading disk0:/asa913-smp-k8.bin... Booting...
Platform ASA5512

Loading...
IO memory blocks requested from bigphys 32bit: 32540
?dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/sda1: 188 files, 286777/1005579 clusters
dosfsck(/dev/sda1) returned 0
Processor memory 1705463808, Reserved memory: 0

Total NICs found: 11
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 06 MAC: c464.1339.86d9
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 05 MAC: c464.1339.86dc
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 04 MAC: c464.1339.86d8
i82574L rev00 Gigabit Ethernet @ irq05 dev 0 index 03 MAC: c464.1339.86db
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 02 MAC: c464.1339.86d7
i82574L rev00 Gigabit Ethernet @ irq10 dev 0 index 01 MAC: c464.1339.86da
i82574L rev00 Gigabit Ethernet @ irq11 dev 0 index 00 MAC: c464.1339.86d6
ivshmem rev03 Backplane Data Interface     @ index 07 MAC: 0000.0001.0002
en_vtun rev00 Backplane Control Interface  @ index 08 MAC: 0000.0001.0001
en_vtun rev00 Backplane Int-Mgmt Interface     @ index 09 MAC: 0000.0001.0003
en_vtun rev00 Backplane Ext-Mgmt Interface     @ index 10 MAC: 0000.0000.0000
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0xc02eda7a 0x30a99862 0xd992f9c8 0xd29cb818
   0x8c2fe5bd

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 100            perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Enabled        perpetual
IPS Module                        : Enabled        perpetual
Cluster                           : Enabled        perpetual

This platform has an ASA 5512 Security Plus license.

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026

Cisco Adaptive Security Appliance Software Version 9.1(3)

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to [email protected].
  ******************************* Warning *******************************

This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)
Copyright (C) 1995-1998 Eric Young ([email protected])
All rights reserved.
Copyright (c) 1998-2011 The OpenSSL Project.
All rights reserved.

This product includes software developed at the University of
California, Irvine for use in the DAV Explorer project
(http://www.ics.uci.edu/~webdav/)
Copyright (c) 1999-2005 Regents of the University of California.
All rights reserved.

Busybox, version 1.16.1, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
Busybox comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

DOSFSTOOLS, version 2.11, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
675 Mass Ave, Cambridge, MA 02139
DOSFSTOOLS comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

grub, version 0.94, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
grub comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

libgcc, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libgcc comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

libstdc++, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libstdc++ comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

Linux kernel, version 2.6.29.6, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.)
51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
Linux kernel comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

module-init-tools, version 3.10, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
module-init-tools comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

numactl, version 2.0.3, Copyright (C) 2008 SGI.
Author: Andi Kleen, SUSE Labs
Version 2.0.0 by Cliff Wickman, Christopher Lameter and Lee Schermerhorn
numactl comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

pciutils, version 3.1.4, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
pciutils comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

qemu, version 0.12.5, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
qemu comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

qemu-KVM Inter-VM Shared Memory Patch, version 1.0,
Copyright (C) 2009 Cam Macdonell
qemu-KVM Inter-VM Shared Memory Patch comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

readline, version 5.2, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111 USA
readline comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

udev, version 146, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
udev comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual ("Licensing") for details.

Cisco Adaptive Security Appliance Software, version 9.1,
Copyright (c) 1996-2013 by Cisco Systems, Inc.
Certain components of Cisco ASA Software, Version 9.1 are licensed under the GNU
Lesser Public License (LGPL) Version 2.1.  The software code licensed under LGPL
Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY.  You can
redistribute and/or modify such LGPL code under the terms of LGPL Version 2.1
(http://www.gnu.org/licenses/lgpl-2.1.html).  See User Manual for licensing
details.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
Flash read failed
ERROR: MIGRATION - Could not get the startup configuration.

Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e

INFO: Power-On Self-Test in process.
.................................................................
INFO: Power-On Self-Test complete.

INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.

Pre-configure Firewall now through interactive prompts [yes]?
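
The boot banner is the first evidence you get about the box, and it is worth recording before anyone logs in. The following Python script is an added example, not the book's or Cisco's code: it parses an abridged copy of the Example 16-1 output, pulls out the image path, software version and licensed feature table, and checks the Cryptochecksum line, which the ASA prints as an MD5 over the configuration it read. The value in Example 16-1, d41d8cd9 8f00b204 e9800998 ecf8427e, is the MD5 digest of zero bytes, which corroborates the "Could not get the startup configuration" error a few lines above it. The function names and the BOOT_LOG constant are this example's own.

```python
"""Pull the facts that matter out of the ASA boot banner of Example 16-1:
image and software version, the licensed feature set, and whether a
startup configuration was actually loaded.  Added example, not the book's
or Cisco's code; BOOT_LOG is an abridged copy of the Example 16-1 output."""
import hashlib
import re

# Abridged from Example 16-1; the lines kept are the ones parsed below.
BOOT_LOG = """\
Loading disk0:/asa913-smp-k8.bin... Booting...
Platform ASA5512
Running Permanent Activation Key: 0xc02eda7a 0x30a99862 0xd992f9c8 0xd29cb818
   0x8c2fe5bd

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 5              perpetual
AnyConnect Premium Peers          : 100            perpetual
Botnet Traffic Filter             : Disabled       perpetual

This platform has an ASA 5512 Security Plus license.
Cisco Adaptive Security Appliance Software Version 9.1(3)
Reading from flash...
Flash read failed
ERROR: MIGRATION - Could not get the startup configuration.

Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e

INFO: Power-On Self-Test complete.
Pre-configure Firewall now through interactive prompts [yes]?
"""

PLATFORM_RE = re.compile(r"^Platform (\S+)$", re.M)
IMAGE_RE = re.compile(r"^Loading (\S+)\.\.\. Booting", re.M)
VERSION_RE = re.compile(r"^Cisco Adaptive Security Appliance Software Version (\S+)$", re.M)
CHECKSUM_RE = re.compile(r"^Cryptochecksum(?: \(changed\))?:\s*((?:[0-9a-f]{8}\s*){4})$", re.M)
EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # d41d8cd98f00b204e9800998ecf8427e


def first(regex, log):
    m = regex.search(log)
    return m.group(1) if m else None


def parse_licensed_features(log):
    """'Name   : Value   term' lines between the header and the next blank
    line, returned as {name: (value, term)}."""
    features, in_block = {}, False
    for line in log.splitlines():
        if line.startswith("Licensed features for this platform:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            name, _, rest = line.partition(":")
            *value, term = rest.split()          # last token is the term (perpetual, ...)
            features[name.strip()] = (" ".join(value), term)
    return features


def cryptochecksum(log):
    digest = first(CHECKSUM_RE, log)
    return "".join(digest.split()) if digest else None


def summarize(log):
    """Facts to record before configuring.  'startup_config_loaded' is False
    when the banner reports a flash/migration error or the checksum equals
    the MD5 of zero bytes, i.e. the ASA hashed an empty configuration."""
    features = parse_licensed_features(log)
    checksum = cryptochecksum(log)
    no_config_errors = ("Flash read failed" in log
                        or "Could not get the startup configuration" in log)
    return {
        "platform": first(PLATFORM_RE, log),
        "image": first(IMAGE_RE, log),
        "version": first(VERSION_RE, log),
        "cryptochecksum": checksum,
        "startup_config_loaded": not no_config_errors and checksum != EMPTY_MD5,
        "strong_crypto_licensed": features.get("Encryption-3DES-AES", ("",))[0] == "Enabled",
        "features": features,
    }


if __name__ == "__main__":
    for key, value in summarize(BOOT_LOG).items():
        if key != "features":
            print(f"{key:24} {value}")
```

The same checksum check applies to the "Cryptochecksum:" line the ASA prints after it writes a configuration, so a later non-empty value is a cheap sign that something was committed to flash; the version string is what you match against Cisco's security advisories before the box goes into service.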


At this point, to bootstrap the ASA, press Enter to accept the default [yes] and use the interactive prompts for the initial setup. If you answer no, you can return to this script later with the setup command. The objective is to give the ASA just enough basic configuration that you can connect to it with ASDM and then use ASDM to configure the rest. As we work through this example, we look at configuration done through both ASDM and the CLI. Answering yes lets us supply the basic information that ASDM needs to connect to the ASA, as shown in Example 16-2.

Example 16-2 Running the Initial Setup Script on the ASA


Pre-configure Firewall now through interactive prompts [yes]? yes
! By pressing the Enter key, the value in the brackets, such as the [yes]
! above, will be accepted.

! The other option would be transparent mode (non-routed)
Firewall Mode [Routed]:

! Please use a password that is more secure than this example
Enable password [<use current password>]: Sup3rs3crtP4ss

!   pressing enter will accept the option presented in the brackets
Allow password recovery [yes]?
Clock (UTC):
  Year [2013]:
  Month [Mar]:
  Day [2]:
  Time [17:34:41]:

!  this is the IP address for the interface the setup script names
!  "management" and gives security level 0. On an ASA 5505 that is the
!  logical interface VLAN1, to which all eight switch ports belong by
!  default, so any of the eight ports could connect the ASA to our network;
!  the 5512-X booted in Example 16-1 has a dedicated management port instead
!  of a built-in switch. Plan ahead of time which IP address to use.
Management IP address: 192.168.1.254
Management network mask: 255.255.255.0
Host name: ASA1
Domain name: example.org

!  the ASA doesn't allow any ASDM/HTTPS connections to it by default;
!  it asks for the address of the computer you will use to run ASDM
!  and permits connections from that host only
IP address of host running Device Manager: 192.168.1.7

!  a summary is provided before asking you to confirm
The following configuration will be used:
Enable password: Sup3rs3crtP4ss
Allow password recovery: yes
Clock (UTC): 17:34:41 Mar 2 2013
Firewall Mode: Routed
Management IP address: 192.168.1.254
Management network mask: 255.255.255.0
Host name: ASA1
Domain name: example.org
IP address of host running Device Manager: 192.168.1.7


!   if everything looks right you can type yes and press enter to implement
!   the changes
Use this configuration and write to flash? yes
INFO: Security level for "management" set to 0 by default.

!  the ASA needs a few moments to generate the self-signed certificate it
!  uses for SSL, so the warning below applies only for the first few
!  seconds after setup finishes; ASDM access works once that is done.
WARNING: http server is not yet enabled to allow ASDM access.
Cryptochecksum: 3001087b 2c98260b a4ed70b8 06b690d6

2052 bytes copied in 0.730 secs



Type help or '?' for a list of available commands.
ASA1>
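
When the same bootstrap has to be repeated across many appliances, the prompt sequence of Example 16-2 is easy to drive from a host, but the step worth automating carefully is the last one: compare the summary the ASA echoes back with what you sent before answering "yes" to "write to flash". The Python below is an added example, not the book's or Cisco's code. The FakeConsole class, its read_until_prompt()/send() methods and the ANSWERS table are this example's own inventions; FakeConsole replays the Example 16-2 prompts offline so the logic runs without hardware, and a real run would put a serial console (9600 bps, 8 data bits, no parity, 1 stop bit, for instance via pyserial) behind the same two methods.

```python
"""Drive the ASA interactive setup script of Example 16-2 from a host, and
confirm 'write to flash' only when the summary the ASA echoes back matches
what was sent.  Added example, not the book's code: FakeConsole replays the
Example 16-2 prompts offline; a real transport would wrap a serial console
(9600 8N1) behind the same read_until_prompt()/send() pair."""
import re

# "Enable password [<use current password>]: "  ->  key, default
PROMPT_RE = re.compile(r"^(?P<key>[A-Za-z][^\[\]?:]*?)\s*(?:\[(?P<default>[^\]]*)\])?[?:]$")
CLOCK_KEYS = ("Time", "Month", "Day", "Year")   # the script folds these into one summary line


def parse_prompt(line):
    m = PROMPT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a setup prompt: {line!r}")
    return m.group("key").strip(), m.group("default")


def summary_mismatches(lines, applied):
    """Compare the 'The following configuration will be used:' block with the
    values we believe the ASA will apply.  Returns {key: (expected, shown)}."""
    shown = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep and not key.startswith("The following"):
            shown[key.strip()] = value.strip()
    expected = {k: v for k, v in applied.items() if k not in CLOCK_KEYS}
    expected["Clock (UTC)"] = " ".join(applied[k] for k in CLOCK_KEYS)
    return {k: (v, shown.get(k)) for k, v in expected.items() if shown.get(k) != v}


def run_setup(console, answers):
    """Answer each prompt.  An empty answer is Enter, which accepts the bracketed
    default, so the default is what gets recorded as applied.  Refuse to commit
    on any mismatch; returns the mismatch dict (empty means 'yes' was sent)."""
    applied = {}
    while True:
        lines = console.read_until_prompt().rstrip().splitlines()
        key, default = parse_prompt(lines[-1])
        if key == "Use this configuration and write to flash":
            bad = summary_mismatches(lines[:-1], applied)
            console.send("no" if bad else "yes")
            return bad
        typed = answers.get(key, "")
        value = typed or default
        if value is None:                       # no answer and no default: stop, don't guess
            raise ValueError(f"no answer for prompt {key!r}")
        applied[key] = value
        console.send(typed)


class FakeConsole:
    """Stand-in for the ASA console (hypothetical).  Replays the Example 16-2
    prompts and, like the real script, echoes a summary built from the answers
    it received; `tamper` overrides one summary field to exercise the mismatch path."""
    PROMPTS = [("Firewall Mode", "Routed", ":"),
               ("Enable password", "<use current password>", ":"),
               ("Allow password recovery", "yes", "?"),
               ("Year", "2013", ":"), ("Month", "Mar", ":"), ("Day", "2", ":"),
               ("Time", "17:34:41", ":"),
               ("Management IP address", None, ":"),
               ("Management network mask", None, ":"),
               ("Host name", None, ":"), ("Domain name", None, ":"),
               ("IP address of host running Device Manager", None, ":")]

    def __init__(self, tamper=None):
        self.answers, self.step, self.tamper, self.written = {}, 0, tamper or {}, None

    def read_until_prompt(self):
        if self.step < len(self.PROMPTS):
            key, default, punct = self.PROMPTS[self.step]
            return f"{key} [{default}]{punct} " if default is not None else f"{key}{punct} "
        got = {k: self.answers[k] or d for k, d, _ in self.PROMPTS}
        got.update(self.tamper)
        lines = ["The following configuration will be used:"]
        lines += [f"{k}: {got[k]}" for k, _, _ in self.PROMPTS if k not in CLOCK_KEYS]
        lines.append("Clock (UTC): " + " ".join(got[k] for k in CLOCK_KEYS))
        lines.append("Use this configuration and write to flash? ")
        return "\n".join(lines)

    def send(self, line):
        if self.step < len(self.PROMPTS):
            self.answers[self.PROMPTS[self.step][0]] = line
            self.step += 1
        else:
            self.written = line


ANSWERS = {                              # values from Example 16-2; "" means press Enter
    "Firewall Mode": "",                 # accept [Routed]
    "Enable password": "Sup3rs3crtP4ss", # use a real secret, not the book's example
    "Allow password recovery": "",       # [yes] lets anyone at the console reset it from ROMMON;
                                         # "no" makes that path erase the configuration instead
    "Year": "", "Month": "", "Day": "", "Time": "",
    "Management IP address": "192.168.1.254",
    "Management network mask": "255.255.255.0",
    "Host name": "ASA1",
    "Domain name": "example.org",
    "IP address of host running Device Manager": "192.168.1.7",
}

if __name__ == "__main__":
    console = FakeConsole()
    print("mismatches:", run_setup(console, ANSWERS), "-> answered", console.written)
```

The driver parses only the last line of each read as the prompt, so header lines such as "Clock (UTC):" that precede a sub-prompt are ignored, and it raises rather than sending an empty line to a prompt that has no default (the management address, mask, names and ASDM host), because the script would otherwise sit waiting or apply nothing.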


As a first check that connectivity works at the IP level, ping a device on the local network (be sure it is one that answers ICMP echo requests), as shown in Example 16-3. The example runs from the privileged EXEC prompt (ASA1#), which you reach from the ASA1> prompt with the enable command and the enable password you just set.

Example 16-3 Issuing an ICMP Echo Request (Ping) from the ASA


ASA1# ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/28/130 ms
ASA1#

